Skip to content

Add validation to maven package version

What does this MR do?

Description

The Maven Package version does not have validation new a new package is persisted in the database. This MR solves this issue by adding active record validations to the version when a maven package is created.

Proposed solution

Following the suggestion and possible regexp in #214429 (closed) with the version format in the maven version doc. The regex is currently been used %r{\A(\d+)(\.\d+)(\.\d+)$|^(\d+)(\.\d+)$|^(\d+)(\.\d+)(-.+)$|^(\d+)(\.\d+)(\.\d+)(-.+)\z}.freeze is slightly different from the possible regex given in #214429, this is because the following valid examples from maven version doc did not match the possible regex:

  1. 1.4.2-12
  2. 12.1.2-0-0

and the version like 1, 3 matches this regex which I think is invalid versions.

The regex currently used ensures that the examples of valid versions are matched.

Updates

!32925 (comment 348791023)

After further discussion with @10io we agreed on using a different regex that:

\A[1-9]\d*\.\d+\.\d+\z|\A[1-9]\d*\.\d+\z|\A[1-9]\d*\z|\A[1-9]\d*\.\d+-.+\z|\A[1-9]\d*-.+\z|\A[1-9]\d*\.\d+\.\d+-.+\z
  1. Matches values single-digit version like 1, 4, 12. More details in !32925 (comment 348791023)
  2. Remove the capturing groups. Since it's not needed.
  3. Replace ^ with \A and $ with \z. As it is to be coherent with the other regexps in the file.
  4. Does not match versions that start with 0, for example,
  5. Matches versions that include 0 but does to starts with 0. Example of invalid versions are 01, 03.2, etc, while valid versions are 10, 20.2, 30.4.5, etc

!32925 (comment 349988242)

Following a review from @splattael, we agreed on reworking the regex and not supporting versions that are non-starndard according to the documentation https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN8855

\A[1-9]\d*(\.\d+(\.\d+)?)?(-\w+)*\z

!32925 (comment 350660155)

After testing the above regex with existing versions and got a list of 20k+ rejected versions, the regex is changed to accommodate more versions. To keep things as compatible as possible, we allow any char except / and % and reject any whitespace char

\A[^\/%\s]+\z

!32925 (comment 358086694)

Following security review from @vdesousa we change the regex to follow a whitelisting approach and reject versions that start with .., this result to 6 rejected exiting versions. Which a documentation is added in the Maven Repository about it in !32925 (b8b01ce2) The below regex is the currently used regex

\A(\.?[\w\+-]+\.?)+\z

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖

Merge request reports

Loading